In July, Connecticut passed a largely unnoticed new law that followed in Ohio and Utah’s footsteps by limiting damages, or creating affirmative defenses, for businesses that experience a data breach after implementing a qualifying cybersecurity program (also known as a written information security program).
As of October 1, 2021, a Connecticut company that implements an eligible formal written cybersecurity program containing “administrative, technical and physical safeguards for the protection of personal or restricted information” before a data breach is immune from punitive damages in cases alleging a failure to protect personal and confidential information. This new law (Public Act 21-119), enacted by the Connecticut legislature on July 6, 2021, was created to encourage companies to adopt cybersecurity standards by offering protections to those who implement the reasonable cybersecurity standards identified in the law. The statute applies only to tort actions brought under Connecticut law in the state courts of Connecticut.
The accepted cybersecurity frameworks are the current versions of the following:
- The “Framework for Improving Critical Infrastructure Cybersecurity” published by the National Institute of Standards and Technology
- National Institute of Standards and Technology Special Publication 800-171, which governs controlled unclassified information
- National Institute of Standards and Technology Special Publications 800-53 and 800-53a
- The Federal Risk and Authorization Management Program “FedRAMP Security Assessment Framework”, applicable to cloud-based services
- The “Center for Internet Security Critical Security Controls for Effective Cyber Defense” of the Center for Internet Security
- The “ISO/IEC 27000-series” information security standards published by the International Organization for Standardization and the International Electrotechnical Commission
Businesses that receive and process payment cardholder data are included if they also comply with any of the above frameworks and the current version of the Payment Card Industry Data Security Standard (PCI DSS).
Connecticut businesses subject to certain other regulations may benefit from the protections provided by law if they comply with the following relevant cybersecurity requirements:
- The security requirements of the Health Insurance Portability and Accountability Act of 1996, PL 104-191, as amended from time to time, as set out in 45 CFR 164, Subpart C, as amended from time to time
- Title V of the Gramm-Leach-Bliley Act of 1999, PL 106-102, as amended from time to time
- The Federal Information Security Modernization Act of 2014, PL 113-283, as amended from time to time
- The security requirements of the Health Information Technology for Economic and Clinical Health Act, as amended from time to time, as set out in 45 CFR 162, as amended from time to time
If the applicable cybersecurity framework that a company has chosen to comply with is changed, it will have six months to update its policies to comply.
As in Ohio and Utah, businesses in Connecticut that implement a qualifying cybersecurity program in accordance with the aforementioned guidelines before a data breach earn the right to avoid punitive damages.
By contrast, businesses operating in Ohio and Utah with qualifying cybersecurity programs may also take advantage of broad affirmative defenses against the causes of action available under the respective state law that may be brought against them as a result of a data breach, including the failure to implement reasonable cybersecurity controls, the failure to respond appropriately to a data breach, and the failure to appropriately notify individuals of compromised personal information.
For businesses in Connecticut, Ohio, and Utah, realizing the benefits of these laws by implementing a qualifying cybersecurity program should be a priority. In addition, these laws offer a preview of the direction other states are taking with similar legislation. Finally, having an appropriate cybersecurity program in place not only helps a business in any state assess the strengths of, and spot weaknesses in, its cybersecurity posture, but also demonstrates to regulators and jurors that the company took cybersecurity seriously in the event of a data breach.